X-Git-Url: http://git.ieval.ro/?a=blobdiff_plain;f=lib%2FPlack%2FMiddleware%2FAuth%2FComplex.pm;h=4efd0ecb48f1588d219e13fff4ea38338d40e41b;hb=876ab8b5a7befe3ee1d060f38cebf9de18e83fd0;hp=920810c2ffb392407b6d1975b12575c99310ecba;hpb=388ed2817a2e23c00f50d3d74d71c96c3d466a5a;p=plack-middleware-auth-complex.git diff --git a/lib/Plack/Middleware/Auth/Complex.pm b/lib/Plack/Middleware/Auth/Complex.pm index 920810c..4efd0ec 100644 --- a/lib/Plack/Middleware/Auth/Complex.pm +++ b/lib/Plack/Middleware/Auth/Complex.pm @@ -13,11 +13,12 @@ use Authen::Passphrase; use Authen::Passphrase::BlowfishCrypt; use Bytes::Random::Secure qw/random_bytes/; use DBI; -use Digest::SHA qw/hmac_sha1_base64/; +use Digest::SHA qw/hmac_sha1_base64 sha256/; use Email::Simple; use Email::Sender::Simple qw/sendmail/; use MIME::Base64 qw/decode_base64/; use Plack::Request; +use Tie::Hash::Expire; sub default_opts {( dbi_connect => ['dbi:Pg:', '', ''], @@ -26,6 +27,8 @@ sub default_opts {( insert_user => 'INSERT INTO users (id, passphrase, email) VALUES (?,?,?)', mail_subject => 'Password reset token', realm => 'restricted area', + cache_fail => 0, + cache_max_age => 5 * 60, token_max_age => 60 * 60 * 24, username_regex => qr/^\w{2,20}$/a, register_url => '/action/register', @@ -52,6 +55,12 @@ sub init { $self->{update_sth} = $self->{dbh}->prepare($self->{update_pass}) or die $self->{dbh}->errstr; } +sub create_user { + my ($self, $parms) = @_; + my %parms = $parms->flatten; + $self->{insert_sth}->execute($parms{username}, $self->hash_passphrase($parms{password}), $parms{email}) +} + sub get_user { my ($self, $user) = @_; $self->{select_sth}->execute($user) or die $self->{sth}->errstr; @@ -60,9 +69,17 @@ sub get_user { sub check_passphrase { my ($self, $username, $passphrase) = @_; + unless ($self->{cache}) { + tie my %cache, 'Tie::Hash::Expire', {expire_seconds => $self->{cache_max_age}}; + $self->{cache} = \%cache; + } + my $cachekey = sha256 "$username:$passphrase"; + return $self->{cache}{$cachekey} if exists $self->{cache}{$cachekey}; my $user = $self->get_user($username); return 0 unless $user; - Authen::Passphrase->from_rfc2307($user->{passphrase})->match($passphrase) + my $ret = Authen::Passphrase->from_rfc2307($user->{passphrase})->match($passphrase); + $self->{cache}{$cachekey} = $ret if $ret || $self->{cache_fail}; + $ret } sub hash_passphrase { @@ -114,7 +131,7 @@ sub send_reset_email { header => [ From => $self->{mail_from}, To => $user->{email}, - Subject => $user->{mail_subject}, + Subject => $self->{mail_subject}, ], body => $self->mail_body($username, $token), )); @@ -161,7 +178,8 @@ sub call_register { return $self->bad_request('Username must match ' . $self->{username_regex}) unless $parms{username} =~ /$self->{username_regex}/; return $self->bad_request('Username already in use') if $self->get_user($parms{username}); return $self->bad_request('The two passwords do not match') unless $parms{password} eq $parms{confirm_password}; - $self->{insert_sth}->execute($parms{username}, $self->hash_passphrase($parms{password}), $parms{email}); + + $self->create_user($req->parameters); return $self->reply('Registered successfully') } @@ -348,6 +366,17 @@ C<'Password reset token'>. Authentication realm. Defaults to C<'restricted area'>. +=item cache_fail + +If true, all authentication results are cached. If false, only +successful logins are cached. Defaults to false. + +=item cache_max_age + +Authentication cache timeout, in seconds. Authentication results are +cached for this number of seconds to avoid expensive hashing. Defaults +to 5 minutes. + =item token_max_age Password reset token validity, in seconds. Defaults to 24 hours. @@ -395,6 +424,11 @@ Called at the end of the constructor. The default implementation connects to the database, calls C and prepares the SQL statements. +=item B(I<$parms>) + +Inserts a new user into the database. I<$parms> is a +L object containing the request parameters. + =item B(I<$username>) Returns a hashref with (at least) the following keys: passphrase (the